Reporting

Generating reports where multiple number of hosts are present

shreeCS
New Member

Hi,

I have individual persons' data available in the form of CSV files, and I want to generate reports on that data. So I uploaded those CSV files to Splunk for indexing and creating reports.
I uploaded each person's CSV file this way: Add data -> From Files & Directories -> Upload & Index File -> More Settings -> Source type -> From list -> csv.
So the CSV files were uploaded successfully. Here I made each person's data available under a different host, i.e., person A's host as A, person B's host as B, person C's host as C and so on.

Here is the sample entries for person A:

 Day  Date       InTime  OutTime
 Sun  1.08.2013   8:33    17:39
 Mon  2.03.2013   8:38    17:40
 Tue  2.03.2013   8:33    19:28
 Wed  2.03.2013   8:32    17:37
        .
        .
        .

Each person has the same fields with different values. Here I took only person A's data and calculated the difference between InTime and OutTime. The query is below:

host="A" | convert mstime(OutTime) AS otime | convert mstime(InTime) AS itime |eval durationHrs=(otime - itime )/60 | timechart values(durationHrs) As myDurationHrs

This is working fine. If I want to come up with a report which includes each person's data, and I want to calculate each person's average durationHrs (i.e., durationHrs=(otime - itime)/60 and avg(durationHrs)), how do I do that, because here I have each host representing each person? If my person count is more than 10 or so, how do I combine them in a single query (like host="A" host="B" host="C" ... host="Z")?
At the end I want a chart that shows the average_durationHrs for each person.

How to do this?

0 Karma

gfuente
Motivator

Hello

Instead of host="A" at the beginning of the query you should use the sourcetype (which should be the same for all of them, if you indexed them right), let's say sourcetype="hostdata". Then you will be querying all the data at the same time.

And, at the end of the query, you need to add the "by" clause to split the data by the criteria you want.

...| timechart values(durationHrs) As myDurationHrs by host

Regards

0 Karma
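Putting the two posts together, here is one complete search that produces a single average per person. This is an added example, not a query from either poster. It assumes the files kept the sourcetype "csv" that was picked from the list in the upload wizard (the answer's sourcetype="hostdata" is only a placeholder name) and that InTime and OutTime are H:MM strings as in the sample rows. Two things differ from the original query on purpose: first, Splunk's convert mstime() reads a [MM:]SS.SSS string, so it treats "8:33" as 8 minutes 33 seconds, and the original only yields hours because the /60 happens to cancel that out; the version below splits the H:MM value explicitly so the unit is visible. Second, because the goal is one number per person rather than a value per time bucket, the final command is stats ... BY host instead of timechart.

```spl
sourcetype="csv"
| eval in_min  = tonumber(mvindex(split(InTime,  ":"), 0)) * 60 + tonumber(mvindex(split(InTime,  ":"), 1))
| eval out_min = tonumber(mvindex(split(OutTime, ":"), 0)) * 60 + tonumber(mvindex(split(OutTime, ":"), 1))
| eval durationHrs = (out_min - in_min) / 60
| where isnotnull(durationHrs) AND durationHrs >= 0
| stats avg(durationHrs) AS average_durationHrs, count AS days BY host
| eval average_durationHrs = round(average_durationHrs, 2)
| sort -average_durationHrs
```

The where clause drops rows where either time is missing or malformed (tonumber returns null and the arithmetic propagates it) and rows where OutTime is earlier than InTime; if overnight shifts are real in this data, replace that filter with an eval that adds 24*60 to out_min when it is smaller than in_min rather than discarding the row. The days column makes it obvious when one host has far fewer rows than the others, which would otherwise hide behind a plausible-looking average. To restrict the report to a subset of people, add the host filter to the first line, for example host IN ("A","B","C") on Splunk 6.6 or later, or (host="A" OR host="B" OR host="C") on older versions; there is no need to repeat host= for every person when all of them are wanted. Saving this search as a report and choosing a bar chart gives the per-person chart asked for in the question.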